The EU’s General Data Protection Regulation (GDPR) will come into force on 25 May 2018, bringing about a number of significant changes in how organisations process, manage and store personal data. Even though the UK is heading for Brexit, it will still be a member of the EU on that date, so British employers need to be prepared for the impact of the GDPR.
What is GDPR?
The GDPR is a major update to the EU’s existing data protection rules, designed to reflect some of the defining trends of recent years such as globalisation and the accelerating growth of digital technology. Its intention is to strengthen and unify data protection for individuals within the EU. It will also apply to any company processing the personal data of EU citizens in relation to the delivery of goods or the monitoring of behaviour.
The GDPR will enforce several changes that employers – specifically HR departments – will need to be aware of when processing and handling employee data.
Among these is ‘data protection by design’, under which employers are required to make data protection risks a key consideration when designing and operating policies, processes, products and services. The GDPR also mandates ‘data protection by default’, which means that only the personal data required for each specific purpose should be collected and processed.
Another concept that falls under the umbrella of the GDPR is consent. Questions have been raised about the idea of employers processing personal data based on employee consent, given the imbalance of power in the employer/employee relationship. When the GDPR takes effect, organisations will have to comply with stricter requirements to ensure that consent is “freely given, informed, specific and explicit”.
As far as providing information for staff members and job applicants is concerned, the new regulations will require employers to go into much more detail. From 25 May 2018, information that organisations will have to provide will include:
- The identity and contact details of the employer (the data controller).
- Contact details for the data protection officer if the company has one.
- The recipients of the data.
- How long the data will be stored for.
- The rights of the individual employee or applicant, including rights to access, rectify and request erasure of data.
Another key element of the GDPR is the requirement for companies to notify data breaches within 72 hours of becoming aware of them. On the compliance side, there will be much stricter penalties for organisations that don’t adhere to the new rules. Fines could be as high as €20 million (currently £17.7 million) or four per cent of total worldwide annual turnover, whichever is higher, so being ready to comply is extremely important.
A recent report from cybersecurity firm Kaspersky Lab showed that only half (50%) of businesses feel prepared for GDPR. The company said it is “hugely concerning” that half of the companies surveyed don’t feel ready for the regulatory change, considering “just how important it is”.
Speaking at a roundtable hosted by Kaspersky Lab, Sue Daley, head of cloud, data, analytics and artificial intelligence at techUK, said firms providing training on this topic need to look for ways to make it “real” for their staff. She added: “The first step is to talk about it and get people to understand what it means.”
At the same event, Caroline Hinton, head of HR at radio production company Somethin’ Else, said companies should view GDPR compliance not as a “tick-box exercise”, but something that is specifically designed and made relevant for certain roles and departments.
The British Chambers of Commerce outlined some key steps businesses should be taking now, which include:
- Documenting the personal data that the company holds, where it came from and who it is shared with.
- Reviewing current privacy notices and planning for changes required before the implementation deadline.
- Checking procedures to guarantee individual rights outlined under the GDPR, such as the deletion of personal data and the electronic provision of data.
- Determining whether the organisation requires a data protection officer.
BCC executive director David Riches urged businesses to “be proactive” in complying with the GDPR to avoid financial penalties and public scrutiny. He also reassured those firms that are already vigilant about their data protection responsibilities that they “won’t be unduly burdened by the new legislation”.
If you are unsure and would like some further hands-on advice, feel free to call the offices on 0207 993 8661, email us at firstname.lastname@example.org or alternatively come down and visit the offices in Farringdon, London.